b'   October 11, 2002\n\n\n\n\nInformation\nSystem Security\nSecurity Controls for the Defense\nProcurement Payment System\n(D-2003-009)\n\n\n\n\n              Department of Defense\n          Office of the Inspector General\nQuality               Integrity       Accountability\n\x0c  Additional Copies\n\n  To obtain additional copies of this audit report, visit the Inspector General of the\n  Department of Defense Home Page at www.dodig.osd.mil/audit/reports or contact\n  the Secondary Reports Distribution Unit of the Audit Followup and Technical\n  Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Future Audits\n\n  To suggest ideas for or to request future audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                      Inspector General, Department of Defense\n                         400 Army Navy Drive (Room 801)\n                             Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by\n  writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The\n  identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\n\nAIS                   Automated Information System\nCOOP                  Continuity of Operations Plan\nDAA                   Designated Approving Authority\nDCD                   Defense Finance and Accounting Service Corporate Database\nDCII                  Defense Finance and Accounting Service Corporate Information\n                         Infrastructure\nDFAS                  Defense Finance and Accounting Service\nDISA                  Defense Information Systems Agency\nDITSCAP               Defense Information Technology System Certification and\n                         Accreditation Process\nDPPS                  Defense Procurement Payment System\nGISRA                 Government Information Security Reform Act\nMOA                   Memorandum of Agreement\nPMO                   Program Management Office\nSLA                   Service Level Agreement\nSSAA                  System Security Authorization Agreement\n\x0c\x0c         Office of the Inspector General of the Department of Defense\nReport No. D-2003-009                                                  October 11, 2002\n  (Project No. D2002FH-0007)\n\n                        Security Controls for the Defense\n                         Procurement Payment System\n\n                                Executive Summary\n\nWho Should Read This Report and Why? Information technology professionals who\nare responsible for system development and system changes and prospective users of\nsystems under development or undergoing major modifications will be most interested in\nthe progress of the program discussed in this report.\n\nBackground. On May 21, 1997, the Under Secretary of Defense (Comptroller)/Chief\nFinancial Officer directed the move to a paper-free contracting process, which would\nmodernize the acquisition processes of contract writing, administration, finance, and\nauditing. The Defense Finance and Accounting Service initiated the Defense\nProcurement Payment System (DPPS) as part of the DoD Paper-Free Contracting\nInitiative. This report addresses the system\xe2\x80\x99s compliance with DoD security policy.\nDPPS is a component of the information infrastructure architecture and is an Oracle-\nbased Federal financial system that uses standard, shareable data. DPPS will eliminate\nthe need for multiple systems that process contract and vendor payments. As of April\n2002, the total dollar value expended for system development was $80 million. The life-\ncycle costs are estimated to be $550.5 million.\n\nResults. The Defense Finance and Accounting Service did not provide reasonable\nassurance that the general security controls for the initial development of DPPS were\nadequate. DPPS did not fully implement the requirements to be reviewed under the\nGovernment Information Security Reform Act and if fielded as is would operate without\nbasic security elements such as proper access controls and a contingency plan. As a\nresult, existing weaknesses may lead to unauthorized access by potential users that may\nresult in undetected alteration or misuse. Those weaknesses may also cause DPPS to\nnegatively impact the Defense Finance and Accounting Service Corporate Information\nInfrastructure system interoperability. To improve system security and eradicate existing\nweaknesses, the DPPS Program Management Office should:\n\n              \xe2\x80\xa2   revise the System Security Authorization Agreement and the\n                  memorandum of agreement in accordance with the current directive,\n\n              \xe2\x80\xa2   review security documents of the Defense Corporate Database,\n\x0c       \xe2\x80\xa2   test the continuity of operations plan for the system,\n\n       \xe2\x80\xa2   develop standard operating procedures for obtaining access to the\n           system, and\n\n       \xe2\x80\xa2   implement fully the provisions of the DoD guidance to bring the\n           system into full compliance with the Government Information Security\n           Reform Act.\n\nSee the Finding section of the report for details on the audit results and complete\ndetailed recommendations.\n\nManagement Comments and Audit Response. The Defense Finance and\nAccounting Service Chief Information Officer concurred with the finding and\nrecommendations and agreed to implement the requirements necessary to improve\nthe system security of the Defense Procurement Payment System. Management\ncomments were partially responsive. We cannot be certain that all requirements\nof the Government Information Security Reform Act will be met. Accordingly,\nwe revised the recommendation to clarify our intent that the Defense Finance and\nAccounting Service Chief Information Officer should implement the provisions of\nthe DoD Information Technology Security Certification and Accreditation\nProcess. This would ensure that the Defense Procurement Payment System is in\nfull compliance with the Government Information Security Reform Act. We\nrequest that the Defense Finance and Accounting Service Chief Information\nOfficer provide comments on the final report by November 29, 2002.\n\n\n\n\n                                     ii\n\x0cTable of Contents\n\nExecutive Summary                                                                i\n\n\nBackground                                                                      1\n\n\nObjectives                                                                      3\n\n\nFinding\n     Security Controls for the Initial Development of the Defense Procurement\n       Payment System                                                            4\n\nAppendixes\n     A. Scope and Methodology\n          Management Control Program Review                                     15\n          Prior Coverage                                                        16\n     B. Report Distribution                                                     17\n\nManagement Comments\n     Defense Finance and Accounting Service                                     19\n\x0cBackground\n    Origin of the Defense Procurement Payment System. On May 21, 1997, the\n    Under Secretary of Defense (Comptroller)/Chief Financial Officer directed the\n    move to a paper-free contracting process, which would modernize the acquisition\n    processes of contract writing, administration, finance, and auditing. The Defense\n    Finance and Accounting Service (DFAS) initiated the Defense Procurement\n    Payment System (DPPS) as part of the DoD Paper-Free Contracting Initiative.\n    The mission need for DPPS was derived from the DFAS Strategic Business Plan\n    and Chief Financial Officer 5 Year Plan to improve systems\xe2\x80\x99 capabilities and\n    business processes for finance and accounting. The vision for DPPS is to\n    modernize business processes and define standard and shareable data for contract\n    and vendor payments. DPPS should alleviate the need for multiple systems\n    currently used for contract and vendor payments. Through DPPS, contract and\n    vendor payments will be integrated into a standardized on-line computer-\n    processing environment. DPPS will merge both functional areas to operate from\n    common data rather than duplicated or unmatched data records residing in various\n    databases and in hard copy form.\n\n    In April 1995, DFAS initiated the DPPS program. In September 1996, DFAS\n    decided to purchase a commercial off-the-shelf package for DPPS instead of\n    developing the DPPS software. In June 1998, DFAS decided to purchase an\n    Oracle-based project. The commercial off-the-shelf award was $24 million, and\n    the commercial off-the-shelf package was $5.7 million. As of April 2002, the\n    total dollar value expended including salaries was $80 million. DFAS expended\n    $51 million of the total dollar value on Oracle obligations. The estimated\n    life-cycle costs are $550.5 million. Currently, DPPS is under Milestone 2\n    approval and is expected to reach Milestone 3 approval by September 2003.\n\n    Interfacing Systems and Procurement Process. Figure 1 shows how data will\n    be processed through DPPS. DPPS will directly or indirectly interface with the\n    following systems through the DFAS Corporate Information Infrastructure\n    (DCII): DFAS Corporate Database (DCD), Defense Standard Disbursing System,\n    Standard Procurement System, and Wide Area Workflow.\n\n    DPPS is one of many systems that encompass the DCII environment. DCII is an\n    enterprise architecture that modernizes and integrates the financial operations\n    using DoD-wide standard software initiatives that operate on a standard\n    infrastructure. DCD will serve as the main hub to process data received from all\n    systems. The function of DCD is to consolidate data from several systems into\n    one standard manner. DPPS is an Oracle-based Federal financial system that uses\n    standard, shareable data and the most recent advances in e-commerce.\n\n\n\n\n                                        1\n\x0c Figure 1. DPPS Processing Flow\n\n\nDPPS has been modified to function in the DFAS environment and will become\nthe standard entitlement system. DPPS will eventually replace the entitlement\nfunction for a number of systems to include the:\n\n       \xe2\x80\xa2   Automated Voucher Examination and Disbursing System,\n\n       \xe2\x80\xa2   Computerized Accounts Payable System,\n\n       \xe2\x80\xa2   Defense Integrated Subsistence Management System,\n\n       \xe2\x80\xa2   Integrated Accounts Payable System,\n\n       \xe2\x80\xa2   Mechanization of Contract Administration Services,\n\n       \xe2\x80\xa2   Standard Automated Material Management System,\n\n       \xe2\x80\xa2   Standard Automated Voucher Examination System, and\n\n       \xe2\x80\xa2   Standard Accounting and Reporting System.\n\nOnce functional, DPPS will receive contract, receipt, invoice, and funding data\nauthorization from DCD. DPPS will also send data to DCD.\n\n\n\n\n                                    2\n\x0cObjectives\n    The overall objective was to evaluate the adequacy of the DPPS security controls.\n    The audit included a review of general controls. We also reviewed the adequacy\n    of the management control program as it related to the overall audit objective.\n    See Appendix A for details on the scope and methodology, management control\n    program, and prior audit coverage.\n\n\n\n\n                                        3\n\x0c           Security Controls for the Initial\n           Development of the Defense Procurement\n           Payment System\n           DFAS did not provide reasonable assurance that the general security\n           controls for the initial development of DPPS were adequate. This\n           occurred because in its initial development of DPPS, DFAS did not\n           properly implement the first two phases of the DoD security guidance for\n           system security and accreditation. Specifically, DFAS did not address the\n           minimum-security requirements in the System Security Authorization\n           Agreement (SSAA) to include the weaknesses identified in the DCD\n           system. In addition, critical documents required in the SSAA; such as the\n           continuity of operations plan (COOP), the memorandum of agreement\n           (MOA), the service level agreement (SLA), and the roles and\n           responsibilities of users; did not contain the information needed to ensure\n           the security of DPPS. DPPS did not fully implement the requirements to\n           be reviewed under the Government Information Security Reform Act (the\n           Act) and, if fielded as is, would operate without basic security elements\n           such as proper access controls and a contingency plan. As a result, data\n           integrity may be compromised because of system availability,\n           unauthorized access, undetected alteration, or general misuse. Although\n           DFAS may correct all shortfalls prior to the deployment of DPPS, the time\n           needed to make the system changes necessary to properly secure DPPS\n           may negatively impact interoperability of the DCII system.\n\n\nSecurity Guidance\n    General Provisions of the Government Information Security Reform Act.\n    The October 30, 2000, Floyd D. Spence National Defense Authorization Act of\n    FY 2001 (Public Law 106-398), includes title X, subtitle G, \xe2\x80\x9cGovernment\n    Information Security Reform Act,\xe2\x80\x9d (GISRA). The GISRA states that each\n    Federal agency is responsible for:\n\n           \xe2\x80\xa2   implementing a security program that ensures the integrity,\n               confidentiality, authenticity, availability, and nonrepudiation of\n               information systems supporting agency operations;\n\n           \xe2\x80\xa2   ensuring that the information security plan is followed throughout the\n               life cycle of the system; and\n\n           \xe2\x80\xa2   developing, implementing, and evaluating information security\n               policies and control techniques.\n\n    Office of Management and Budget Guidance. Office of Management and\n    Budget (OMB) Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated\n    Information Resources,\xe2\x80\x9d November 30, 2000, establishes a minimum set of\n    controls to be included in the Federal automated information security program.\n    The Office of Management and Budget guidance also assigns responsibility for\n\n\n                                         4\n\x0csecurity, security planning, periodic review of security controls and links, agency\nautomated information security programs, and agency management control\nsystems. In addition, the guidance should ensure that risk and potential for loss\nare understood and minimized.\n\nDoD Directive 5200.28. DoD Directive 5200.28, \xe2\x80\x9cSecurity Requirements for\nAutomated Information Systems (AIS),\xe2\x80\x9d March 21, 1988, states that the security\npolicy must be considered throughout the entire life of the AIS from the\nbeginning of concept development, through design, development, operation, and\nmaintenance until replacement or disposal. A Designated Approving Authority\n(DAA) shall be designated as responsible for the overall security of the AIS to\ninclude approval of accreditation. The AIS developer must ensure early and\ncontinuous involvement of the users, information system security officers, data\nowners, and DAA(s) in defining and implementing security requirements of the\nAIS. The AIS developer should also develop an evaluation plan for the AIS\nshowing progress toward meeting full compliance with stated security\nrequirements through the use of necessary computer security safeguards. DoD\nDirective 5200.28 also states that an MOA should be implemented when one DoD\nComponent AIS interfaces with another DoD Component AIS. The MOA should\ninclude a description and classification of the data, clearance levels of the users,\ndesignation of the DAA who should resolve conflicts among each DAA, and\nsafeguards to be implemented before interfacing each AIS. DoD\nDirective 5200.28 is necessary to protect the DoD investment in obtaining and\nusing information and to prevent fraud, waste, and abuse.\n\nDoD Information Technology System Certification and Accreditation\nProcess Instruction. DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology\nSecurity Certification and Accreditation Process (DITSCAP),\xe2\x80\x9d December 30,\n1997, defines four phases that lead to the system security and accreditation\nprocess. Phase 1 requires the establishment of an SSAA among each DAA,\nCertification Authority, system user representatives, and the program manager.\nThe SSAA documents agreements among the parties relating to system mission,\nenvironment, architecture, threats, levels of effort, and security requirements for\ncertification and accreditation. Phase 2 activities verify the evolving systems\ncompliance with the requirements agreed on in the SSAA. Phase 3 activities\nvalidate that the preceding work has produced an information system that operates\nin a specified computing environment with an acceptable level of residual risk.\nPhase 4, the Post Accreditation phase, contains activities necessary to monitor\nsystem management and operation to ensure an acceptable level of residual risk is\npreserved.\n\nDoD Manual 8510.1-M, \xe2\x80\x9cDoD Information Technology Security Certification\nand Accreditation Process (DITSCAP) Application Manual.\xe2\x80\x9d DoD\nManual 8510.1-M, \xe2\x80\x9cDoD Information Technology Security Certification and\nAccreditation Process Application Manual,\xe2\x80\x9d July 31, 2000, is issued under the\nauthority of DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security\nCertification and Accreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997. It\nprovides implementation guidance to standardize the certification and\naccreditation process throughout DoD.\n\n\n\n\n                                     5\n\x0c    DFAS System Security Guidance. DFAS Regulation 8000.1-R, \xe2\x80\x9cDFAS\n    Information Assurance Policy,\xe2\x80\x9d as revised, November 1, 2001 (the Regulation),\n    implements the information assurance policies stated in Circular No. A-130. The\n    Regulation provides the structure for carrying out security policies,\n    responsibilities, and procedures for DFAS systems security personnel, which all\n    DFAS sites and programs are required to follow. The Regulation also establishes\n    the DFAS Chief Information Officer as the DAA for all DFAS networks and\n    information systems.\n\n    After reviewing guidance regarding security controls over automated information\n    systems, we found problems with the adequacy of the SSAA developed for DPPS.\n    Specifically, DFAS did not address the minimum-security requirements outlined\n    in DoD guidance. The minimum-security requirements that were not addressed in\n    the SSAA involve risk management, contingency planning, data integrity,\n    accountability and access controls, and least privilege. Security requirements\n    should be followed so that only authorized persons can access information and the\n    information is used for its intended purpose. Security requirements should also\n    ensure that information retains its content integrity and is available when needed.\n\n\nSecurity Controls Over DPPS\n    Adequacy of DPPS System Security Authorization Agreement. DoD\n    Directive 5200.28 states that the DAA is responsible for the overall security of\n    DPPS. The DAA for DPPS is the Chief Information Officer for DFAS. DFAS\n    develops the DPPS and is responsible for ensuring that the security requirements\n    for its input, access, and use are adequate. However, the DAA did not provide\n    reasonable assurance that the security controls for the initial development of\n    DPPS were adequate. The DPPS SSAA is a documented agreement of the\n    certification process that is developed by the Program Management Office\n    (PMO). The SSAA required for review by the DAA for certification and\n    accreditation did not adequately address the minimum-security safeguards\n    outlined in DoD Directive 5200.28. Specifically, the SSAA is non-compliant\n    with several major requirements of the DITSCAP. The SSAA did not give a\n    detailed description of the threats that DPPS faces. The DPPS COOP, a part of\n    the SSAA, did not adequately implement service continuity controls to ensure that\n    critical and sensitive data will be protected, and that essential operations would\n    continue in an emergency. The MOA between DPPS and DCD was not complete.\n    The SLA between DFAS and the Defense Information Security Agency (DISA)\n    was also not complete. As of March 2002, the roles and responsibilities for DPPS\n    had not been assigned or tested. The following table provides a list of the specific\n    security requirements for DPPS. The SSAA was generic and did not adequately\n    document the specific requirements of DPPS.\n\n\n\n\n                                         6\n\x0c                      Mandatory DPPS Certification and\n                        Accreditation Requirements\n\n     Specific Security Requirements for DPPS                  Adequate\n     Specific contingency plan for DPPS                          No\n     Specific risk assessment for DPPS                           No\n     Specific network and physical security                     Yes\n     Specific accreditation survey for DPPS                      No\n     Specific configuration management program                  No\n     Specific security program for DPPS                         Yes\n     Specific memorandum of agreement                           No\n     Specific Service Level Agreement                            No\n     Specific Certification Analysis                            Yes\n     Specific Roles and Responsibilities for DPPS                No\n\n\n       DPPS Vulnerabilities. As part of the DCII, DPPS will receive data from\nmultiple sources via the DCD interface. The DCD is the central component in the\nDoD end-to-end procurement process. Once the disbursing functionality is\ndeployed, the DCD will provide a single, logical database in which all shared\nDFAS financial data will be stored and maintained for on-line transaction\nprocessing. The DCD, as well as the DPPS, is part of the target-automated\nenvironment along with other systems. Those systems will share data using the\nDCD. DFAS officials stated that if the DCD experienced a failure, DPPS would\nnot have the necessary data to operate.\n\nInspector General DoD Report No. D-2002-067, \xe2\x80\x9cSecurity Controls Over the\nDefense Finance and Accounting Service Corporate Database,\xe2\x80\x9d March 20, 2002,\naddresses security issues found during a review of security controls of the DCD.\nIn the report, several weaknesses were found in the execution of DCD security\ncontrols. Specifically, the report stated that access controls were weak, a training\nprogram for users was not provided, and the COOP had been in draft since 1999.\nIn addition, the COOP had not been tested at the time the report was issued. Prior\nto fielding the DCD, neither a system security review nor penetration testing were\nrequested. Figure 2 illustrates the procurement process in the DCII environment.\n\n\n\n\n                                     7\n\x0cFigure 2. DFAS Corporate Database Interfaces\n\nThe DPPS PMO was not aware of the inadequate security safeguards in the DCD.\nThe PMO requested and received a copy of the Inspector General DoD Report\nNo. D-2002-067 that discussed the security controls weaknesses in the DCD. The\nPMO found that the problems in the DCD would be relevant to DPPS. As of\nApril 2002, the weaknesses identified in the DCD had not been included in the\nDPPS SSAA. The threats discussed in the DPPS SSAA were general to the DCII\nenvironment. The SSAA did not include the security plans for the other\napplications in the DCII environment.\n\nDuring Phase 2 of the DITSCAP process, certification tasks and a vulnerability\nassessment are to be performed. For DPPS, the vulnerability assessment task\nnoted the following weaknesses.\n\n     \xe2\x80\xa2   The current version of the application may not provide for recommended\n         encryption levels.\n\n     \xe2\x80\xa2   The application does not enforce \xe2\x80\x9cstrong\xe2\x80\x9d passwords, which could lead\n         to hacking incidents and loss of data integrity.\n\n\n\n\n                                    8\n\x0c     \xe2\x80\xa2   The audit fields may not properly capture the data necessary to verify\n         transactions.\n\n     \xe2\x80\xa2   The data may not be extractable for audit.\n\nTo achieve accountability and prevent fraudulent transactions from occurring, the\nweaknesses must be corrected. The PMO may recommend that the certification\nprocess continue while monitoring the mitigation of the vulnerabilities. The\nlength of time needed to correct the vulnerabilities may slow the process, which\nleaves the security of DPPS in question. Additionally, some of the vulnerabilities\nwere rated serious enough to recommend that the system not be deployed until\nthey are corrected.\n\n        DPPS Continuity of Operations Plan. A COOP is required as part of the\ndocumentation developed during the certification and accreditation process. The\nobjective of the COOP is to provide reasonable continuity of automated\ninformation systems support if events occur that prevent normal operations. Each\nCOOP should be tested periodically under realistic conditions. The requirements\nof DoD Instruction 5200.40 state that the COOP should be prepared during\nPhase 1 of the certification and accreditation process. DoD Instruction 5200.40\nfurther states that the COOP should be evaluated for feasibility during Phase 2\nand again during Phase 3 to ensure consistency with the requirements set forth by\nthe SSAA. According to the SSAA, Phase 2 of the certification and accreditation\nprocess had occurred during December 2001. During Phase 2, DFAS officials did\nnot have a COOP for DPPS in place. Documentation of a COOP was not\nreceived until January 2002, but was dated June 2002, which, according to DFAS\nofficials, will be the end of Phase 3. Although the COOP states that it will be\ntested and that test plans will be developed, no dates are included stating when the\ntesting will occur. Furthermore, the plan does not contain the information\nnecessary for testing, such as a Business Line COOP and a completed point of\ncontact list in case of an emergency.\n\nThe Business Line COOP should encompass essential day-to-day operations of\nthe user representative. Specifically, the Business Line COOP should identify\nstep-by-step business functions necessary to ensure that contractor and vendor\npayments will be made despite the non-availability of DPPS. The lack of a\nBusiness Line COOP places a scope limitation on the DPPS COOP developed by\nthe PMO. Without a Business Line COOP, DFAS cannot ensure that contractor\nand vendor payments will continue if DPPS becomes unavailable.\n\nThe DPPS COOP lacked a completed point of contact list. Specifically, officials\nwith the authority to declare an emergency and implement the DPPS COOP were\nnot identified. Further, the names of the officials to be contacted during the\ndeclaration of an emergency were not identified. The DPPS COOP contains just\nenough information to be considered adequate for Phase 1 of the certification and\naccreditation process but not for Phase 3 of DPPS. The lack of essential\ninformation limits the ability of the COOP to be tested for adequacy and its\ncompliance with security requirements established in the SSAA.\n\n\n\n\n                                     9\n\x0c        DPPS/DCD Memorandum of Agreement. DoD Directive 5200.28\nstates that when an AIS is managed by a different DAA, or are interfaced or\nnetworked, an MOA is required to address the accreditation requirements for each\nAIS involved. The MOA should include description and classification of the data,\nclearance levels of the users, designation of the DAA who shall resolve conflicts\namong the DAAs, and safeguards to be implemented before interfacing each AIS.\nThe MOA is established to ensure that an accurate and timely transfer occurs\nbetween two systems. An MOA is required any time that two DoD Component\nAISs interface with one another. An MOA is also required when a contractor AIS\ninterfaces with either a DoD Component or to another contractor AIS.\n\nThe DPPS/DCD MOA does not adequately meet the requirements of DoD\nDirective 5200.28. The MOA states that Oracle Advanced Symmetrical\nReplication will facilitate the movement of data between DPPS and DCD. The\nMOA adequately describes how data will transfer between the systems and\ninterfaces; however, it does not discuss the clearance levels of the users. Each\nclearance level for every system and its user should be clearly documented as a\nsafeguard to prevent unauthorized access to both the DPPS and the DCD. In\naddition, the MOA does not clearly assign a DAA. The responsibility of the DAA\nincludes resolving conflicts with each DAA of the respective systems.\n\n        DPPS Roles and Responsibilities. According to the DITSCAP, all\ncertification team\xe2\x80\x99s roles and responsibilities are to be identified for the\ncertification process and defined prior to end-to-end testing. A Role Assignment\nMatrix is being developed to include both the functional and administrative roles\nfor the DPPS release. The matrix will also include job descriptions for DPPS, as\nwell as clearance levels required for those positions. End-to-end testing for DPPS\nwas scheduled to begin in March 2002. However, DFAS had not finalized the\nroles and responsibilities for DPPS.\n\nUnless the roles and responsibilities are finalized, the Security Test and\nEvaluation cannot adequately test the roles and responsibilities for DPPS. The\nSecurity Test and Evaluation involves the testing of the setting up and managing\nof user profiles. Furthermore, without the establishment of the roles and\nresponsibilities, access control issues cannot be achieved. Specifically, the roles\nand responsibilities are the development of a master access control list and\ncoordination with DISA on user identification.\n\n        DPPS Service Level Agreement. DFAS is using the SLA as a guideline\nto meet DPPS security requirements. The SLA documents the agreement reached\nbetween DISA and DFAS. The agreement will provide information technology\ndata processing support and customer support in the performance of a variety of\ninformation technology services, and DFAS. The SLA has three separate but\ninterrelated parts, a basic agreement, a support agreement, and a planning\nestimate.\n\n               Basic Agreement. The basic agreement identifies terms,\nconditions, and responsibilities and incorporates standard information that applies\nto all DISA customers. It outlines administrative responsibilities, customer\nassistance, continuity of operations, and overall security. The basic agreement\nshould have all the essential elements of a complete agreement and describe the\n\n\n                                     10\n\x0coverall responsibilities of both parties. The basic agreement will also serve as the\nbasic reference document for the support agreement between provider and\ncustomer.\n\n               Support Agreement. The support agreement documents the\ncustomer\xe2\x80\x99s requirements and the provider\xe2\x80\x99s technical solutions. The support\nagreement may also document any additions or modifications to the terms and\nconditions or roles and responsibilities covered in the basic agreement. Once\nsigned, the agreement will remain in effect until jointly modified by the customer\nand provider or until terminated by either party.\n\n              Planning Estimate. The planning estimate classifies all projected\nworkload costs for services provided by DISA. The cost estimates will be based\non the most current workload projections provided by the customer.\n\nThe SLA between the DPPS PMO and DISA did not contain all of the necessary\nsecurity information. The basic agreement outlines the responsibilities for DFAS\nand DISA pertaining to access controls. The SLA states that DFAS is responsible\nfor maintaining access control for users of their applications. In addition, the\nSLA states that DISA will maintain access control based on required personnel\nsecurity investigations, need-to-know, and authorization. However, the SLA does\nnot outline the necessary procedures that either organization will follow to\nmaintain access control. The SLA should explain the process for granting,\ngenerating, and maintaining access to DPPS. Otherwise, the intended users of\nDPPS could implement inconsistent access control procedures.\n\nCompliance with the General Provisions of Government Information\nSecurity Reform Act. The Government Information Security Reform Act (the\nAct) directs each Federal agency to evaluate its information security program and\npractices annually and, as part of the budget process, submit the results to the\nOffice of Management and Budget. The Act covers unclassified and national\nsecurity systems to create a consistent security management framework for each\nsystem. The Act establishes parallel requirements for the agency and the agency\nInspector General. The Act requires the Office of the Inspector General to\nevaluate the DoD information security program and practices and to\nindependently select and test a subset of systems to confirm the effectiveness of\nthe information security program. Although DPPS is not part of the subset of\nsystems, DPPS compliance with the Act is still required.\n\nDPPS is currently under Milestone 2 approval and is expected to reach Milestone\n3 approval by September 2003. As a result, DPPS did not fully implement the\nrequirements to be reviewed under the Act. For example, the PMO should report\nany material weaknesses in policies and procedures and system design and\nimplementation.\n\n\n\n\n                                     11\n\x0c    Specifically, in order to comply with the Act, the PMO should:\n\n           \xe2\x80\xa2   assess any risk to operations and assets,\n\n           \xe2\x80\xa2   determine the level of security appropriate to protect the operations\n               and assets, and\n\n           \xe2\x80\xa2   develop and maintain an up-to-date security plan for DPPS.\n\n    If fielded as is, DPPS would operate without basic security elements to include\n    proper access controls and a contingency plan. Before DPPS is fielded, the PMO\n    should also ensure that employees are sufficiently trained in their security\n    responsibilities and that procedures are established for reporting security\n    incidents. If the PMO takes full advantage of this opportunity to ensure\n    compliance with the Act, both the users of DPPS as well as the PMO will have a\n    solid basis for stating that DPPS is ready for certification and accreditation.\n\n\nImpact of DPPS on the DCII Environment\n    Delays in the development of DPPS have impacted the deployment of the DCII\n    architecture. According to documentation provided by DFAS officials, DPPS was\n    originally expected to take over the duties of the Mechanization of Contract\n    Administration Services in February of 2000. However, delays in the\n    development of the system have pushed back the \xe2\x80\x9cbrownout of the Mechanization\n    of Contract Administration Services\xe2\x80\x9d until the second quarter of FY 2003. More\n    recent delays have been caused as well. Enterprise testing; which involves\n    validating architecture for release build, data migration, and system security; was\n    delayed because application testing of DPPS was not completed. Those tests\n    uncovered defects and additional requirements for DPPS. If DPPS is not properly\n    secured, DFAS may not be able to provide a secure end-to-end procurement\n    process. Without adequate safeguards, the confidentiality and integrity of the\n    information processed, stored, and transmitted, as well as the availability of the\n    system or the information itself could be threatened, thus, risking the security of\n    both the data in DPPS and the data transferable to the DCD.\n\n\nConclusion\n    DPPS is critical to the DFAS mission because when it is fully deployed, it will\n    become the standard entitlement system, replacing several systems currently in\n    use. As part of the DCII architecture, DPPS will receive and transfer data through\n    the DCD from multiple sources. Because data are transferred to and from DPPS,\n    any failure of DPPS would affect those interfacing systems. Therefore, it is\n    important that DPPS has adequate security controls in place. DPPS will have\n    thousands of users throughout the world. DFAS personnel will rely on DPPS to\n    carry out their mission by providing access to financial applications and databases\n\n\n\n\n                                        12\n\x0c    and other information resources found in the DCD. In addition, without a\n    properly tested COOP in place, there is no assurance that DPPS would continue to\n    function in an emergency.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n    Revised Recommendation. As a result of management comments, we revised\n    Recommendation 6 to clarify the actions necessary to bring the Defense\n    Procurement Payment System into full compliance with the requirements of the\n    Government Information Security Reform Act.\n\n    We recommend that the Defense Finance and Accounting Service Chief\n    Information Officer direct the Defense Procurement Payment System\n    Program Management Office to:\n\n          1. Revise the System Security Authorization Agreement for Defense\n    Procurement Payment System to comply with DoD Directive 5200.28.\n\n    Management Comments. The Defense Finance and Accounting Service Chief\n    Information Officer concurred and agreed to update the System Security\n    Authorization Agreement and address security requirements from the DoD\n    Directive 5200.28.\n\n           2. Review the security documentation such as test results and audit\n    reports related to the Defense Finance and Accounting Service Corporate\n    Database security.\n\n    Management Comments. The Defense Finance and Accounting Service Chief\n    Information Officer concurred and will review the Defense Finance and\n    Accounting Service Corporate Database security documentation.\n\n          3. Revise, finalize, and test the Defense Procurement Payment System\n    Continuity of Operations Plan.\n\n    Management Comments. The Defense Finance and Accounting Service Chief\n    Information Officer concurred and stated that the Continuity of Operations Plan\n    for the Defense Procurement Payment System will be incorporated with the\n    Defense Finance and Accounting Service Corporate Information Infrastructure\n    plan and will be part of a tabletop exercise scheduled for September 2002.\n\n          4. Revise the Defense Procurement Payment System memorandum of\n    agreement to comply with DoD Directive 5200.28.\n\n    Management Comments. The Defense Finance and Accounting Service Chief\n    Information Officer concurred and agreed to update the memorandum of\n    agreement to clarify the Designated Approving Authority responsibilities and any\n    security clearance levels in their roles using both systems.\n\n\n\n                                       13\n\x0c      5. Develop a standard operating procedure for obtaining access to the\nDefense Procurement Payment System.\n\nManagement Comments. The Defense Finance and Accounting Service Chief\nInformation Officer concurred and stated that the Defense Finance and\nAccounting Service Corporate Information Infrastructure access control standard\noperating procedures have been written to combine the Defense Corporate\nDatabase, the Defense Corporate Warehouse, and the Defense Procurement\nPayment System. The procedures are currently awaiting final approval. These\nstandard operating procedures define the least privilege concept and roles and\nresponsibilities.\n\n       6. Implement fully the provisions of the DoD Information Technology\nSecurity Certification and Accreditation Process to bring the Defense\nProcurement Payment System into full compliance with the requirements of\nthe Government Information Security Reform Act.\n\nManagement Comments. The Defense Finance and Accounting Service Chief\nInformation Officer concurred with the recommendation and stated that the\nDefense Procurement Payment System complied with the Government\nInformation Security Reform Act by providing the Defense Finance and\nAccounting Service management with all requested information needed to fulfill\nthe requirements. The Fiscal Year 2003 Budget Estimate also contains the\nrequired information.\n\nAudit Response. Management comments were partially responsive. Although\nthe Defense Finance and Accounting Service Chief Information Officer provided\nthe Defense Finance and Accounting Service management all information\nrequested, we can not be certain that all requirements of the Government\nInformation Security Reform Act will be met. As a result, we revised the\nrecommendation to clarify our intent that the Defense Finance and Accounting\nService Chief Information Officer should implement the provisions of the DoD\nInformation Technology Security Certification and Accreditation Process to bring\nthe system in full compliance with the requirements of the Government\nInformation Security Reform Act. We request that the Defense Finance and\nAccounting Service Chief Information Officer provide comments on the final\nreport.\n\n\n\n\n                                   14\n\x0cAppendix A. Scope and Methodology\n    We performed this financial-related audit at the DPPS PMO at DFAS Columbus,\n    Ohio, from October 2001 through May 2002. Our review was based on\n    applicable Federal and DoD information security guidance and regulations. We\n    used the DITSCAP criteria for evaluating the SSAA for DPPS. We reviewed the\n    process in which DFAS intends to implement its security program, access\n    controls, and service continuity for DPPS. We interviewed the DAA for DPPS,\n    project director for the DCII, project manager for DPPS, and the user\n    representatives. We interviewed the DPPS Information System Security Officer\n    to determine how they plan to implement security over DPPS.\n\n    We reviewed the DPPS SSAA of August 2001 and supporting documentation.\n    We also analyzed the SLA between DFAS and DISA. We reviewed the MOA\n    between DPPS and DCD, dated December 30, 2001. The DPPS COOP that we\n    reviewed was post dated June 2002. We reviewed relevant regulations and laws\n    including Public Law 100-235, \xe2\x80\x9cComputer Security Act of 1987,\xe2\x80\x9d and the\n    requirements of the Government Information Security Reform Act, title X,\n    subtitle G, of the FY 2001 Floyd D. Spence National Defense Authorization Act\n    (Public Law 106-398). Additionally, we reviewed DoD Directive 5200.28,\n    \xe2\x80\x9cSecurity Requirements for Automated Information Systems,\xe2\x80\x9d March 21, 1988;\n    DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security Certification\n    and Accreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997; DoD 8510.1-M,\n    \xe2\x80\x9cDoD Information Technology Security Certification and Accreditation Process\n    (DITSCAP) Application Manual,\xe2\x80\x9d July 31, 2000; and DFAS Regulation\n    8000.1-R, \xe2\x80\x9cDFAS Information Assurance Policy,\xe2\x80\x9d as revised, November 1, 2001.\n\n    We performed this audit from October 2001 through July 2002, in accordance\n    with generally accepted government auditing standards. Accordingly, we\n    included tests of management controls considered necessary.\n\n    General Accounting Office High-Risk Area. The General Accounting Office\n    has identified several high-risk areas in the DoD. This report provides coverage\n    of the Information Security and the DoD Financial Management high-risk areas.\n\n    Use of Computer-Processed Data. We did not use computer-processed data to\n    perform this audit.\n\n\nManagement Control Program Review\n    DoD Directive 5010.38, \xe2\x80\x9cManagement Control (MC) Program,\xe2\x80\x9d August 26, 1996,\n    and DoD Instruction 5010.40, \xe2\x80\x9cManagement Control (MC) Program Procedures,\xe2\x80\x9d\n    August 28, 1996, require DoD organizations to implement a comprehensive\n    system of controls that provides reasonable assurance that programs are operating\n    as intended and to evaluate the adequacy of the controls.\n\n\n\n\n                                        15\n\x0c     Scope of the Review of the Management Control Program. We reviewed the\n     adequacy of management controls for the initial development of DPPS.\n     Specifically, we reviewed the FY 2001 DFAS Annual Statement of Assurance\n     and the FY 2001 Contract Pay and Vendor Pay Services Annual Statement of\n     Assurance for DFAS Columbus.\n\n     Adequacy of Management Controls. We identified material management\n     control weaknesses for DFAS as identified in DoD Instruction 5010.40. DFAS\n     did not provide reasonable assurance that the general security controls for the\n     initial development of DPPS were adequate. The recommendations in this report,\n     if implemented, will improve the security controls over DPPS. A copy of the\n     report will be provided to the senior official responsible for management controls\n     at DFAS Headquarters.\n\n     Adequacy of Management\xe2\x80\x99s Self-Evaluation. We reviewed the adequacy of\n     management\xe2\x80\x99s self-evaluation. DFAS officials did not identify DPPS as an\n     assessable unit; therefore, did not identify or report the material management\n     control weakness identified by the audit.\n\n\nPrior Coverage\n\nGeneral Accounting Office\n     GAO-01-525, \xe2\x80\x9cInformation Technology: Architecture Needed to Guide\n     Modernization of DoD\xe2\x80\x99s Financial Operations,\xe2\x80\x9d May 17, 2001.\n\n     GAO-01-307, \xe2\x80\x9cInformation Security: Progress and Challenges to an Effective\n     Defense-wide Information Assurance Program,\xe2\x80\x9d March 30, 2001.\n\nInspector General of the Department of Defense (IG DoD)\n     IG DoD, Report No. D-2002-067, \xe2\x80\x9cSecurity Controls Over the Defense Finance\n     and Accounting Service Corporate Database,\xe2\x80\x9d March 20, 2002.\n\n     IG DoD, Report No. D-2001-095, \xe2\x80\x9cControls for the Electronic Data Interchange\n     at the Defense Finance and Accounting Service Columbus,\xe2\x80\x9d April 6, 2001.\n\n     IG DoD, Report No. D-2001-030, \xe2\x80\x9cOversight of the Defense Finance and\n     Accounting Service Corporate Database Development,\xe2\x80\x9d December 28, 2000.\n\n     IG DoD, Report No. 98-007, \xe2\x80\x9cGeneral and Application Controls Over the\n     Mechanization of Contract Administration Services System,\xe2\x80\x9d October 9, 1997.\n\n\n\n\n                                         16\n\x0cAppendix B. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n\nDepartment of the Army\nAssistant Secretary of the Army (Financial Management and Comptroller)\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Defense Finance and Accounting Service\n   Defense Finance and Accounting Service Columbus\n\n\n\n\n                                          17\n\x0cNon-Defense Federal Organizations and Individuals\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International Relations,\n  Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\n\n\n\n\n                                          18\n\x0cDefense Finance and Accounting Service\nComments\n\n\n\n\n                      19\n\x0cFinal Report\n Reference\n\n\n\n\nRevised\nPage 14\n\n\n\n\n               20\n\x0cTeam Members\nThe Defense Financial Auditing Service Directorate, Office of the Assistant Inspector\nGeneral for Auditing of the Department of Defense prepared this report. Personnel of the\nOffice of the Inspector General of the Department of Defense who contributed to the\nreport are listed below.\n\n       Paul J. Granetto\n       Richard B. Bird\n       David F. Vincent\n       Barbara A. Sauls\n       Yolanda C. Watts\n       Randall M. Critchlow\n       Yalonda N. Blizzard\n       Leon D. Bryant\n       Ann Thompson\n\x0c'